From fec14fa40564bb199735c8afdf890659bc5ee214 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 18:19:36 -0300
Subject: [PATCH] Update win_plugx_susp_exe_locations.yml

---
 .../win_plugx_susp_exe_locations.yml | 90 +++++++++----------
 1 file changed, 45 insertions(+), 45 deletions(-)

diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
index 557ac9154..282920701 100644
--- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
+++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
@@ -17,74 +17,74 @@ logsource:
 product: windows
 detection:
 selection_cammute:
-Image: '*\CamMute.exe'
+Image|endswith: '\CamMute.exe'
 filter_cammute:
-Image: '*\Lenovo\Communication Utility\\*'
+Image|contains: '\Lenovo\Communication Utility\\'
 selection_chrome_frame:
-Image: '*\chrome_frame_helper.exe'
+Image|endswith: '\chrome_frame_helper.exe'
 filter_chrome_frame:
-Image: '*\Google\Chrome\application\\*'
+Image|contains: '\Google\Chrome\application\\'
 selection_devemu:
-Image: '*\dvcemumanager.exe'
+Image|endswith: '\dvcemumanager.exe'
 filter_devemu:
-Image: '*\Microsoft Device Emulator\\*'
+Image|contains: '\Microsoft Device Emulator\\'
 selection_gadget:
-Image: '*\Gadget.exe'
+Image|endswith: '\Gadget.exe'
 filter_gadget:
-Image: '*\Windows Media Player\\*'
+Image|contains: '\Windows Media Player\\'
 selection_hcc:
-Image: '*\hcc.exe'
+Image|endswith: '\hcc.exe'
 filter_hcc:
-Image: '*\HTML Help Workshop\\*'
+Image|contains: '\HTML Help Workshop\\'
 selection_hkcmd:
-Image: '*\hkcmd.exe'
+Image|endswith: '\hkcmd.exe'
 filter_hkcmd:
-Image:
-- '*\System32\\*'
-- '*\SysNative\\*'
-- '*\SysWowo64\\*'
+Image|contains:
+- '\System32\\'
+- '\SysNative\\'
+- '\SysWowo64\\'
 selection_mc:
-Image: '*\Mc.exe'
+Image|endswith: '\Mc.exe'
 filter_mc:
-Image:
-- '*\Microsoft Visual Studio*'
-- '*\Microsoft SDK*'
-- '*\Windows Kit*'
+Image|contains:
+- '\Microsoft Visual Studio'
+- '\Microsoft SDK'
+- '\Windows Kit'
 selection_msmpeng:
-Image: '*\MsMpEng.exe'
+Image|endswith: '\MsMpEng.exe'
 filter_msmpeng:
-Image:
-- '*\Microsoft Security Client\\*'
-- '*\Windows Defender\\*'
-- '*\AntiMalware\\*'
+Image|contains:
+- '\Microsoft Security Client\\'
+- '\Windows Defender\\'
+- '\AntiMalware\\'
 selection_msseces:
-Image: '*\msseces.exe'
+Image|endswith: '\msseces.exe'
 filter_msseces:
-Image:
-- '*\Microsoft Security Center\\*'
-- '*\Microsoft Security Client\\*'
-- '*\Microsoft Security Essentials\\*'
+Image|contains:
+- '\Microsoft Security Center\\'
+- '\Microsoft Security Client\\'
+- '\Microsoft Security Essentials\\'
 selection_oinfo:
-Image: '*\OInfoP11.exe'
+Image|endswith: '\OInfoP11.exe'
 filter_oinfo:
-Image: '*\Common Files\Microsoft Shared\\*'
+Image|contains: '\Common Files\Microsoft Shared\\'
 selection_oleview:
-Image: '*\OleView.exe'
+Image|endswith: '\OleView.exe'
 filter_oleview:
-Image:
-- '*\Microsoft Visual Studio*'
-- '*\Microsoft SDK*'
-- '*\Windows Kit*'
-- '*\Windows Resource Kit\\*'
+Image|contains:
+- '\Microsoft Visual Studio'
+- '\Microsoft SDK'
+- '\Windows Kit'
+- '\Windows Resource Kit\\'
 selection_rc:
-Image: '*\rc.exe'
+Image|endswith: '\rc.exe'
 filter_rc:
-Image:
-- '*\Microsoft Visual Studio*'
-- '*\Microsoft SDK*'
-- '*\Windows Kit*'
-- '*\Windows Resource Kit\\*'
-- '*\Microsoft.NET\\*'
+Image|contains:
+- '\Microsoft Visual Studio'
+- '\Microsoft SDK'
+- '\Windows Kit'
+- '\Windows Resource Kit\\'
+- '\Microsoft.NET\\'
 condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )
 fields:
 - CommandLine
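Review bot: The rewritten filter_hkcmd list still carries the misspelled directory `'\SysWowo64\\'`; the 32-bit system directory on Windows is SysWOW64, so the `|contains` conversion preserves a pre-existing typo rather than fixing it. Because the condition is `selection_hkcmd and not filter_hkcmd`, a legitimate hkcmd.exe started from that directory is not excluded and the rule fires on it, which makes this a false-positive source rather than a missed detection. The entry should read `- '\SysWOW64\\'` (Sigma string matching is case-insensitive, so only the stray "o" matters). The trailing `\\` in the other contains values is the Sigma double-backslash notation for a single literal backslash and looks correct as written.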